Google Apps with Microsoft Active Directory:
About Google Apps Directory Sync:
With Google Apps Directory Sync (GADS), you can automatically add, modify, and delete users, groups, and non-employee contacts to synchronize the data in your G Suite domain with your LDAP directory server. The data in your LDAP directory server is never modified or compromised. GADS is a secure tool that helps you easily keep track of users and groups.
Key benefits of GADS:
- Synchronizes your G Suite user accounts to match the user data in an existing LDAP server.
- Supports sophisticated rules for custom mapping of users, groups, non-employee contacts, user profiles, aliases, calendar resources, and exceptions.
- Performs a one-way synchronization. Data on your LDAP server is never updated or altered.
- Runs as a utility in your server environment. There is no access to your LDAP directory server data outside your perimeter.
- Includes extensive tests and simulations to ensure correct synchronization.
- Includes all necessary components in the installation package.
Configuration tips:
- Use the 64-bit version of GADS if you plan to install it on a 64-bit compatible server. This version performs better than other versions when you need to synchronize large amounts of data.
- Never share your GADS configuration files. The files contain sensitive information about your LDAP server and your G Suite domain.
- Simulate a synchronization before you perform a real synchronization, and simulate again whenever you upgrade GADS or change a configuration. If you don’t, you may accidentally delete an account or restrict a user.
How does it work?
Google offers a free tool called Google Apps Directory Sync. It is a program that can be installed on any system in your internal network (Windows XP/7/2003/2008, Linux or Solaris). The tool synchronizes Google Apps users with Active Directory (or other directory) users.
You must have administrator rights in both your AD and your Google Apps environments. A setting in the Google Apps Control Panel called “Enable provisioning API” must be turned on.
To enable Domain Admin API access:
- Sign into the Google Admin console.
- From the dashboard, go to Security > API reference.
- Check Enable API access.
- Click Save changes.
Step 1: Prepare your servers
Download and install Google Apps Directory Sync.
Before you begin, make sure you can meet the system requirements for Google Apps Directory Sync (GADS).
Use the following link to download the GADS installer:
https://support.google.com/a/answer/6120989?hl=en&ref_topic=6120988
Step 2: Setup Configuration Manager:
Configuration Manager is a step-by-step user interface that guides you through creating, testing, and running a synchronization in Google Apps Directory Sync (GADS).
Open Configuration Manager from the Start menu (shown in Figure GADS-1).

Specify your general settings:
On the General Settings page, specify what you intend to synchronize from your LDAP server. Select one or more from:

Define your G Suite settings:
On the Google Apps Configuration page of Configuration Manager, enter your G Suite (Google Apps) domain connection information.
Click the tabs to enter the following information:
- Connection settings: If you check the Replace domain names in LDAP email addresses box, all LDAP email addresses are changed to match the domain listed in the Domain Name
Authorizing access using OAuth:
- Click Authorize Now to set up your authorization settings and create a verification code.
- Click Sign in to open a browser window and sign into your G Suite domain with your super administrator username and password.
- Copy the token that is displayed.
- Enter the token in the Verification Code field and click Validate.
- Proxy settings: Provide any necessary network proxy settings here. If your server doesn’t require a proxy to connect to the Internet, skip this tab.
- Exclusion rules: Use exclusion rules to preserve information in your G Suite domain that isn’t in your LDAP system (for example, users that are only in G Suite). See more about using exclusion rules.
Exclusion rules allow you to omit specific users, user profiles, groups, organizational units, calendar resources, and other data from the Google Apps Directory Sync (GADS) process. For example, you can add a user profile exclusion rule to exclude specific user profile information that you don’t want to sync in your G Suite domain.


Define your LDAP settings:
On the LDAP Configuration page of Configuration Manager, enter your LDAP server information. After you configure the LDAP authentication settings, click Test Connection. Configuration Manager connects to your LDAP server and attempts to sign in to verify the settings you entered.
If you selected OpenLDAP or Active Directory® as your LDAP server, click Use defaults at the bottom of every configuration page to quickly set up the sync with default parameters. You can then customize them to your needs.
For details on the LDAP Configuration fields in Configuration Manager, see LDAP connection settings.

Click on Test Connection

Leave the Org Units settings and move to User Accounts
User Accounts
Specify what attributes GADS uses when generating the LDAP user list on the User accounts page -> User Attributes:
Email address attribute | The LDAP attribute that contains a user’s primary email address. The default is mail. |
(Optional) Unique identifier attribute | An LDAP attribute that contains a unique identifier for every user entity on your LDAP server. Providing this value enables GADS to detect when users are renamed on your LDAP server and sync those changes to the G Suite domain. This field is optional, but recommended. Example: objectGUID |
Under Google Apps Users deletion/Suspension policy
Select -> Suspend Google Apps users not found in LDAP, instead of deleting them: Active users in G Suite will be suspended if they are not in your LDAP server. Suspended users are not altered.
Select -> Don’t suspend or delete Google Apps admins not found in LDAP

Additional user attributes: Additional user attributes are optional LDAP attributes that you can use to import additional information about your G Suite users, including passwords. Enter your additional user attributes on the User accounts page.

A brief look at how to create a user in Active Directory and then use Google Apps Directory Sync (GADS) to provision the user in your Google Apps domain.
Leave the remaining settings, such as Groups, User Profiles, Shared Contacts, and Calendar Resources, as they are. Go to
Notification:

Logging: Enter the directory and file name to use for the log file or click Browse to browse your file system.
Example: sync.log
Sync:
Click Simulate sync to test your settings. During simulation, Configuration Manager will:
- Connect to your G Suite domain and generate a list of users, groups, and shared contacts.
- Connect to your LDAP directory server and generate a list of users, groups, and shared contacts.
- Generate a list of differences.
- Log all events.
If the simulation is successful, Configuration Manager generates a Proposed Change Report that shows what changes would have been made to your G Suite user list.

Note: Running a simulated synchronization does not update or change your LDAP server data or your user accounts in G Suite. The simulation is only for checking and testing purposes.
When you are confident that the configuration is correct, click Sync & apply changes to initiate the synchronization.
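As an added illustration (not GADS code and not part of the original page), this Python model builds the kind of difference list a simulated sync reports, using the settings described above: the unique identifier attribute, exclusion rules, the suspend-instead-of-delete policy, and admin protection. The class and function names, the matching logic, and the example.com accounts are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LdapUser:
    mail: str        # email address attribute (default "mail")
    guid: str = ""   # unique identifier attribute, e.g. objectGUID

@dataclass(frozen=True)
class GoogleUser:
    email: str
    guid: str = ""   # identifier remembered from an earlier sync (assumed)
    is_admin: bool = False
    suspended: bool = False

def propose_changes(ldap, google, excluded=frozenset(),
                    suspend_not_delete=True, protect_admins=True):
    """Simulated one-way sync: list (action, detail) pairs, apply nothing."""
    by_guid = {g.guid: g for g in google if g.guid}
    by_email = {g.email: g for g in google}
    changes, matched = [], set()
    for u in ldap:
        if u.mail in excluded:
            continue
        g = by_guid.get(u.guid) or by_email.get(u.mail)
        if g is None:
            changes.append(("create", u.mail))
        else:
            matched.add(g.email)
            if g.email != u.mail:   # same identifier, new address
                changes.append(("rename", f"{g.email} -> {u.mail}"))
    for g in google:                # accounts with no LDAP counterpart
        if g.email in matched or g.email in excluded:
            continue
        if (protect_admins and g.is_admin) or (suspend_not_delete and g.suspended):
            continue                # admins kept; suspended users are not altered
        changes.append(("suspend" if suspend_not_delete else "delete", g.email))
    return sorted(changes)

# Constructed sample data; all accounts are placeholders.
LDAP = [LdapUser("alice@example.com", "g-1"),
        LdapUser("bob.smith@example.com", "g-2"),   # renamed in the directory
        LdapUser("carol@example.com", "g-3")]
GOOGLE = [GoogleUser("alice@example.com", "g-1"),
          GoogleUser("bob.jones@example.com", "g-2"),
          GoogleUser("dave@example.com"),
          GoogleUser("admin@example.com", is_admin=True),
          GoogleUser("contractor@example.com")]     # exists only in G Suite

if __name__ == "__main__":
    for change in propose_changes(LDAP, GOOGLE, {"contractor@example.com"}):
        print(change)
```

Dropping the `guid` values from the LDAP side turns the rename into a create plus a suspend of the old address, which is the outcome the unique identifier attribute is there to prevent.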
Source: G Suite